Abstract. The model-checking problem for probabilistic systems crucially relies on the translation of LTL to deterministic Rabin automata (DRW). Our recent Safraless translation [KE12,GKE12] for the LTL(F,G) fragment produces smaller automata as compared to the traditional approach. In this work, instead of DRW we consider deterministic automata with acceptance condition given as disjunction of generalized Rabin pairs (DGRW). The Safraless translation of LTL(F,G) formulas to DGRW results in smaller automata as compared to DRW. We present algorithms for probabilistic model-checking as well as game solving for DGRW conditions. Our new algorithms lead to improvement both in terms of theoretical bounds as well as practical evaluation. We compare PRISM with and without our new translation, and show that the new translation leads to significant improvements.

1 Introduction

Logic for ω-regular properties. The class of ω-regular languages generalizes regular languages to infinite strings and provides a robust specification language to express all properties used in verification and synthesis. The most convenient way to describe specifications is through logic, as logics provide a concise and intuitive formalism to express properties with very precise semantics. The linear-time temporal logic (LTL) [Pnu77] is the de-facto logic to express linear time ω-regular properties in verification and synthesis.

Deterministic ω-automata. For model-checking purposes, LTL formulas can be converted to nondeterministic Büchi automata (NBW) [VW86], and then the problem reduces to checking emptiness of the intersection of two NBWs (representing the system and the negation of the specification, respectively). However, for two very important problems deterministic automata are used, namely, (1) the synthesis problem [Chu62,PR89]; and (2) the model-checking problem for probabilistic systems or Markov decision processes (MDPs) [BK08], which has a wide range of applications from randomized communication, to security protocols, to biological systems. The standard approach is to translate LTL to NBW [VW86], and then convert the NBW to a deterministic automaton with Rabin acceptance condition (DRW) using Safra's determinization procedure [Saf88] (or using a recent improvement of Piterman [Pit06]).
Avoiding Safra's construction. The key bottleneck of the standard approach in practice is Safra's determinization procedure which is difficult to implement due to the complicated state space and data structures associated with the construction [Kup12]. As a consequence several alternative approaches have been proposed, and the most prominent ones are as follows. The first approach is the Safraless approach. One can reduce the synthesis problem to emptiness of nondeterministic Büchi tree automata [KV05]; it has been implemented with considerable success in [JB06]. For probabilistic model checking other constructions can also be used, however, all of them are exponential [?,?]. The second approach is to use heuristics to improve Safra's determinization procedure [KB06,KB07], which has led to the tool ltl2dstar [Kle]. The third approach is to consider fragments of LTL. In [AT04] several simple fragments of LTL were proposed that allow much simpler (single exponential as compared to the general double exponential) translations to deterministic automata. The generalized reactivity(1) fragment of LTL (called GR(1)) was introduced in [PPS06] and a cubic time symbolic representation of an equivalent automaton was presented. The approach has been implemented in the ANZU tool [JGWB07]. Recently, the (F,G)-fragment of LTL, that uses boolean operations and only F (eventually or in future) and G (always or globally) as temporal operators, was considered and a simple and direct translation to deterministic Rabin automata (DRW) was presented [KE12]. Not only does it cover all fragments of [AT04], but it can also express all complex fairness constraints, which are widely used in verification.

Probabilistic model-checking. Despite several approaches to avoid Safra's determinization, for probabilistic model-checking the deterministic automata are still necessary. Since probabilistic model-checkers handle linear arithmetic, they do not benefit from the symbolic methods of [PPS06,MS08] or from the tree automata approach. The approach for probabilistic model-checking has been to explicitly construct a DRW from the LTL formula. The most prominent probabilistic model-checker PRISM [KNP11] implements the ltl2dstar approach.
Our results. In this work, we focus on the (F,G)-fragment of LTL. Instead of the traditional approach of translation to DRW we propose a translation to deterministic automata with generalized Rabin pairs. We present probabilistic model-checking as well as symbolic game solving algorithms for the new class of conditions which lead to both theoretical as well as significant practical improvements. The details of our contributions are as follows.

1. A Rabin pair consists of the conjunction of a Büchi (always eventually) and a coBüchi (eventually always) condition, and a Rabin condition is a disjunction of Rabin pairs. A generalized Rabin pair is the conjunction of conjunctions of Büchi conditions and conjunctions of coBüchi conditions. However, as a conjunction of coBüchi conditions is again a coBüchi condition, a generalized Rabin pair is the conjunction of a coBüchi condition and a conjunction of Büchi conditions.¹ We consider deterministic automata where the acceptance condition is a disjunction of generalized Rabin pairs (and call them DGRW). The (F,G)-fragment of LTL admits a direct and algorithmically simple translation to DGRW [KE12] and we consider DGRW for probabilistic model-checking and synthesis. The direct translation of LTL(F,G) could be done to a compact deterministic automaton with a Muller condition, however, the explicit representation of the Muller condition is typically huge and not algorithmically efficient, and thus reduction to deterministic Rabin automata was performed (with a blow-up) since Rabin conditions admit efficient algorithmic analysis. We show that DGRW allow both for a very compact translation of the (F,G)-fragment of LTL as well as efficient algorithmic analysis. The direct translation of LTL(F,G) to DGRW has the same number of states as for a general Muller condition. For many formulae expressing e.g. fairness-like conditions the translation to DGRW is significantly more compact than the previous ltl2dstar approach. For example, for a conjunction of three strong fairness constraints, ltl2dstar produces a DRW with more than a million states, translation to DRW via DGRW requires 469 states, and the corresponding DGRW has only 64 states.

¹ Note that our condition (disjunction of generalized Rabin pairs) is very different from both generalized Rabin conditions (conjunction of Rabin conditions) and the

2. One approach for probabilistic model-checking and synthesis for DGRW would be to first convert them to DRW, and then use the standard algorithms. Instead we present direct algorithms for DGRW that avoid the translation to DRW both for probabilistic model-checking and game solving. The direct algorithms lead to both theoretical and practical improvements. For example, consider the disjunction of $k$ generalized Rabin pairs such that in each pair there is a conjunction of a coBüchi condition and a conjunction of $j$ Büchi conditions. Our direct algorithms for probabilistic model-checking as well as game solving are more efficient by a multiplicative factor of $j^k$ and $j^{k^2+k}$, as compared to the approach of translation to DRW, for probabilistic model checking and game solving, respectively. Moreover, we also present symbolic algorithms for game solving for DGRW conditions.

3. We have implemented our approach for probabilistic model checking in PRISM, and the experimental results show that as compared to the existing implementation of PRISM with ltl2dstar our approach results in an improvement of an order of magnitude. Moreover, the results for games confirm that the speed-up is even greater than for probabilistic model checking.

2 Preliminaries

In this section, we recall the notion of linear temporal logic (LTL) and illustrate the recent translation of its (F,G)-fragment to DRW [KE12,GKE12] through the intermediate formalism of DGRW. Finally, we define an index that is important for characterizing the savings the new formalism of DGRW brings as shown in the subsequent sections.

(footnote 1, continued from the previous page) generalized Rabin(1) condition of [Ehl11], which considers a set of assumptions and guarantees where each assumption and guarantee consists of one Rabin pair. Syntactically, a disjunction of generalized Rabin pairs condition is $\bigvee_i \big(\mathbf{FG}a_i \wedge \bigwedge_j \mathbf{GF}b_{ij}\big)$, whereas a generalized Rabin condition is $\bigwedge_j \big(\bigvee_i (\mathbf{FG}a_{ij} \wedge \mathbf{GF}b_{ij})\big)$, and a generalized Rabin(1) condition is $\big(\bigwedge_i (\mathbf{FG}a_i \wedge \mathbf{GF}b_i) \Rightarrow \bigwedge_j (\mathbf{FG}a_j \wedge \mathbf{GF}b_j)\big)$.



2.1 Linear temporal logic

We start by recalling the fragment of linear temporal logic with future (F) and globally (G) modalities.

Definition 1 (LTL(F,G) syntax). The formulae of the (F,G)-fragment of linear temporal logic are given by the following syntax:

$$\varphi ::= a \mid \neg a \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathbf{F}\varphi \mid \mathbf{G}\varphi$$

where $a$ ranges over a finite fixed set $Ap$ of atomic propositions.

We use the standard abbreviations $\mathit{tt} := a \vee \neg a$ and $\mathit{ff} := a \wedge \neg a$. Note that we use the negation normal form, as negations can be pushed inside to atomic propositions due to the equivalence of $\mathbf{F}\varphi$ and $\neg\mathbf{G}\neg\varphi$.

Definition 2 (LTL(F,G) semantics). Let $w \in (2^{Ap})^\omega$ be a word. The $i$th letter of $w$ is denoted $w[i]$, i.e. $w = w[0]w[1]\cdots$. Further, we define the $i$th suffix of $w$ as $w_i = w[i]w[i+1]\cdots$. The semantics of a formula on $w$ is then defined inductively as follows: $w \models a \iff a \in w[0]$; $w \models \neg a \iff a \notin w[0]$; $w \models \varphi \wedge \psi \iff w \models \varphi$ and $w \models \psi$; $w \models \varphi \vee \psi \iff w \models \varphi$ or $w \models \psi$; and

$$w \models \mathbf{F}\varphi \iff \exists k \in \mathbb{N}_0 : w_k \models \varphi$$
$$w \models \mathbf{G}\varphi \iff \forall k \in \mathbb{N}_0 : w_k \models \varphi$$



2.2 Translating LTL(F,G) into deterministic ω-automata

Recently, in [KE12,GKE12], a new translation of LTL(F,G) to deterministic automata has been proposed. This construction avoids Safra's determinization and makes direct use of the structure of the formula. We illustrate the construction in the following examples.

Example 3. Consider a formula Fa ∨ Gb. The construction results in the following automaton. The state space of the automaton has two components. The first component stores the current formula to be satisfied. Whenever a letter is read, the formula is updated accordingly. For example, when reading a letter with no a, the option to satisfy the formula due to satisfaction of Gb is lost and is thus reflected in changing the current formula to Fa only.

[Figure: the automaton for Fa ∨ Gb over the alphabet {∅, {a}, {b}, {a,b}}; its three states carry the formulae Fa ∨ Gb (initial), Fa, and tt, with transitions labelled by the letters read.]

The second component stores the last letter read (actually, an equivalence class thereof). The purpose of this component is explained in the next example. For formulae with no mutual nesting of F and G this component is redundant.

The formula Fa ∨ Gb is satisfied either due to Fa or Gb. Therefore, when viewed as a Rabin automaton, there are two Rabin pairs. One forcing infinitely many visits of the third state (a in Fa must be eventually satisfied) and the other prohibiting infinitely many visits of the second and third states (b in Gb must never be violated). The acceptance condition is a disjunction of these pairs.

Example 4. Consider now the formula φ = GFa ∧ GF¬a. Satisfaction of this formula does not depend on any finite prefix of the word and reading {a} or ∅ does not change the first component of the state. This infinitary behaviour requires the state space to record which letters have been seen infinitely often and the acceptance condition to deal with that. In this case, satisfaction requires visiting the second state infinitely often and visiting the first state infinitely often.

[Figure: on the left, the two-state automaton for GFa ∧ GF¬a whose states record whether the last letter read was {a} or ∅; on the right, the Rabin automaton obtained from it by duplicating the state space.]

However, such a conjunction cannot be written as a Rabin condition. In order to get a Rabin automaton, we would duplicate the state space. In the first copy, we wait for reading {a}. Once this happens we move to the second copy, where we wait for reading ∅. Once we succeed we move back to the first copy and start again. This bigger automaton now allows for a Rabin condition. Indeed, it is sufficient to infinitely often visit the "successful" state of the last copy as this forces infinite visits of "successful" states of all copies.

In order to obtain a DRW from an LTL formula, [KE12,GKE12] first construct an automaton similar to DGRW (like the one on the left) and then the state space is blown up and a DRW (like the one on the right) is obtained. However, we shall argue that this blow-up is unnecessary for application in probabilistic model checking and in synthesis. This will result in much more efficient algorithms for complex formulae. In order to avoid the blow-up we define and use DGRW, an automaton with a more complex acceptance condition, yet as we show algorithmically easy to work with and efficient as opposed to e.g. the general Muller condition.

2.3 Automata with generalized Rabin pairs

In the previous example, the cause of the blow-up was the conjunction of Rabin conditions. In [KE12], a generalized version of the Rabin condition is defined that allows for capturing conjunction. It is defined as a positive Boolean combination of Rabin pairs. Whether a set $\mathrm{Inf}(\rho)$ of states visited infinitely often on a run $\rho$ is accepting or not is then defined inductively as follows:

$$\mathrm{Inf}(\rho) \models \varphi \wedge \psi \iff \mathrm{Inf}(\rho) \models \varphi \text{ and } \mathrm{Inf}(\rho) \models \psi$$
$$\mathrm{Inf}(\rho) \models \varphi \vee \psi \iff \mathrm{Inf}(\rho) \models \varphi \text{ or } \mathrm{Inf}(\rho) \models \psi$$
$$\mathrm{Inf}(\rho) \models (F, I) \iff F \cap \mathrm{Inf}(\rho) = \emptyset \text{ and } I \cap \mathrm{Inf}(\rho) \neq \emptyset$$

Denoting $Q$ as the set of all states, $(F, I)$ is then equivalent to $(F, Q) \wedge (\emptyset, I)$. Further, $(F_1, Q) \wedge (F_2, Q)$ is equivalent to $(F_1 \cup F_2, Q)$. Therefore, one can transform any such condition into a disjunctive normal form and obtain a condition of the following form:

$$\bigvee_{i=1}^{k} \Big( (F_i, Q) \wedge \bigwedge_{j=1}^{\ell_i} (\emptyset, I_i^j) \Big)$$

Therefore, in this paper we define the following new class of ω-automata:

Definition 5 (DGRW). An automaton with generalized Rabin pairs (DGRW) is a (deterministic) ω-automaton $\mathcal{A} = (Q, q_0, \delta)$ over an alphabet $\Sigma$, where $Q$ is a set of states, $q_0$ is the initial state, $\delta : Q \times \Sigma \to Q$ is a transition function, together with a generalized Rabin pairs (GRP) acceptance condition $\mathcal{GR} \subseteq 2^Q \times 2^{2^Q}$. A run $\rho$ of $\mathcal{A}$ is accepting for $\mathcal{GR} = \{(F_i, \{I_i^1, \ldots, I_i^{\ell_i}\}) \mid i \in \{1, \ldots, k\}\}$ if there is $i \in \{1, \ldots, k\}$ such that

$$F_i \cap \mathrm{Inf}(\rho) = \emptyset \quad\text{and}\quad I_i^j \cap \mathrm{Inf}(\rho) \neq \emptyset \text{ for every } j \in \{1, \ldots, \ell_i\}.$$

Each $(F_i, \mathcal{I}_i) = (F_i, \{I_i^1, \ldots, I_i^{\ell_i}\})$ is called a generalized Rabin pair (GRP), and the GRP condition is thus a disjunction of generalized Rabin pairs.

W.l.o.g. we assume $k > 0$ and $\ell_i > 0$ for each $i \in \{1, \ldots, k\}$ (whenever $\ell_i = 0$ we could set $\mathcal{I}_i = \{Q\}$). Although the type of the condition allows for huge instances of the condition, the construction of [KE12] (producing this disjunctive normal form) guarantees efficiency not worse than that of the traditional determinization approach. For a formula of size $n$, it is guaranteed that $k \leq 2^n$ and $\ell_i \leq n$ for each $i \in \{1, \ldots, k\}$. Further, the size of the state space is at most $2^{O(2^n)}$. Moreover, consider "infinitary" formulae, where each atomic proposition has both F and G as ancestors in the syntactic tree of the formula. Since the first component of the state space is always the same, the size of the state space is bounded by $2^{|Ap|}$ as the automaton only remembers the last letter read. We will make use of this fact later.

2.4 Degeneralization

As already discussed, one can blow up any automaton with generalized Rabin pairs and obtain a Rabin automaton. We need the following notation. For any $n \in \mathbb{N}$, let $[1..n]$ denote the set $\{1, \ldots, n\}$ equipped with the operation $\oplus$ of cyclic addition, i.e. $m \oplus 1 = m + 1$ for $m < n$ and $n \oplus 1 = 1$.

The DGRW defined above can now be degeneralized as follows. For each $i \in \{1, \ldots, k\}$, multiply the state space by $[1..\ell_i]$ to keep track of which $I_i^j$ we are currently waiting for. Further, adjust the transition function so that we leave the $j$th copy once we visit $I_i^j$ and immediately go to the next copy. Formally, for $a \in \Sigma$ set $(q, w_1, \ldots, w_k) \xrightarrow{a} (r, w'_1, \ldots, w'_k)$ if $q \xrightarrow{a} r$ and $w'_i = w_i$ for all $i$ with $q \notin I_i^{w_i}$ and $w'_i = w_i \oplus 1$ otherwise.

The resulting blow-up factor is then the following:

Definition 6 (Degeneralization index). For a GRP condition $\mathcal{GR} = \{(F_i, \mathcal{I}_i) \mid i \in [1..k]\}$, we define the degeneralization domain $B := \prod_{i=1}^{k} [1..|\mathcal{I}_i|]$ and the degeneralization index of $\mathcal{GR}$ to be $|B| = \prod_{i=1}^{k} |\mathcal{I}_i|$.

The state space of the resulting Rabin automaton is thus $|B|$-times bigger and the number of pairs stays the same. Indeed, for each $i \in \{1, \ldots, k\}$ we have a Rabin pair

$$\Big( F_i \times B,\; I_i^{\ell_i} \times \{ b \in B \mid b(i) = \ell_i \} \Big)$$

Example 7. In Example 4 there is one pair and the degeneralization index is 2.

Example 8. For a conjunction of three fairness constraints ψ = (FGa ∨ GFb) ∧ (FGc ∨ GFd) ∧ (FGe ∨ GFf), the Büchi components $\mathcal{I}_i$ of the equivalent GRP condition correspond to tt, b, d, f, b∧d, b∧f, d∧f, b∧d∧f. The degeneralization index is thus $|B| = 1 \cdot 1 \cdot 1 \cdot 1 \cdot 2 \cdot 2 \cdot 2 \cdot 3 = 24$. For four constraints, it is $1 \cdot 1^4 \cdot 2^6 \cdot 3^4 \cdot 4 = 20736$. One can easily see the index grows doubly exponentially.
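The DNF of Example 8 and the copy-switching transition of Section 2.4, as an added example that is not the paper's or Rabinizer's code: it enumerates the generalized Rabin pairs of a conjunction of n strong fairness constraints, computes the degeneralization index |B| of Definition 6 (reproducing 24 and 20736), and applies the counter update w_i ⊕ 1 along a trace; the labelling of visited states by the Büchi conditions that hold there is a constructed assumption.

```python
"""Generalized Rabin pairs of AND_i (FG a_i OR GF b_i), their degeneralization
index (Definition 6) and the copy-switching step of Section 2.4.
Added example; not code from the paper or from Rabinizer."""
from itertools import product
from math import prod


def fairness_grp(n):
    """Disjunctive normal form of AND_i (FG a_i OR GF b_i) as a list of
    generalized Rabin pairs (coBuechi part, Buechi part).

    Picking FG a_i in constraint i contributes index i to the coBuechi set
    (a conjunction of FG's is one coBuechi condition); picking GF b_i
    contributes one Buechi condition "b_i".  A pair that picks no GF at all
    gets the single trivial Buechi condition "tt" (the paper's l_i > 0)."""
    pairs = []
    for choice in product((0, 1), repeat=n):     # 0 -> FG a_i, 1 -> GF b_i
        cobuechi = frozenset(i for i, c in enumerate(choice) if c == 0)
        buechi = [f"b{i}" for i, c in enumerate(choice) if c == 1]
        pairs.append((cobuechi, buechi or ["tt"]))
    return pairs


def degeneralization_index(pairs):
    """|B| = product over the pairs of the number l_i of Buechi conditions."""
    return prod(len(buechi) for _, buechi in pairs)


def degeneralize_step(labels, w, pairs):
    """One transition of the degeneralized automaton when a state is visited
    whose label set `labels` (constructed: the Buechi conditions true there)
    is read.

    `w` is the tuple (w_1, ..., w_k) in B = prod [1..l_i].  Copy w_i is left,
    by cyclic addition, exactly when the awaited condition I_i^{w_i} holds."""
    nxt = []
    for (_, buechi), wi in zip(pairs, w):
        awaited = buechi[wi - 1]
        if awaited == "tt" or awaited in labels:
            wi = wi % len(buechi) + 1            # w_i (+) 1 inside [1..l_i]
        nxt.append(wi)
    return tuple(nxt)


def run_counters(trace, pairs):
    """Apply degeneralize_step along a constructed trace of label sets,
    starting in copy 1 for every pair; returns the final counter tuple."""
    w = (1,) * len(pairs)
    for labels in trace:
        w = degeneralize_step(labels, w, pairs)
    return w


if __name__ == "__main__":
    for n in (3, 4):
        p = fairness_grp(n)
        print(f"{n} constraints: {len(p)} pairs, |B| = {degeneralization_index(p)}")
```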

3 Probabilistic Model Checking

In this section, we show how automata with generalized Rabin pairs can significantly speed up model checking of Markov decision processes (i.e., probabilistic model checking). For example, for the fairness constraints of the type mentioned in Example 8 the speed-up is by a factor that is doubly exponential. Although there are specialized algorithms for checking properties under strong fairness constraints (implemented in PRISM), our approach is general and speeds up model checking for a wide class of constraints. The combinations (conjunctions, disjunctions) of properties not expressible by small Rabin automata (and/or Streett automata) are infeasible for the traditional approach, while we show that automata with generalized Rabin pairs often allow for efficient model checking. First, we present the theoretical model-checking algorithm for the new type of automata and the theoretical bounds for savings. Second, we illustrate the effectiveness of the approach experimentally.

3.1 Model checking using generalized Rabin pairs

We start with the definitions of Markov decision processes (MDPs), and present the model-checking algorithms. For a finite set $V$, let $\mathrm{Distr}(V)$ denote the set of probability distributions on $V$.

Definition 9 (MDP and MEC). A Markov decision process (MDP) $\mathcal{M} = (V, E, (V_0, V_P), \delta)$ consists of a finite directed MDP graph $(V, E)$, a partition $(V_0, V_P)$ of the finite set $V$ of vertices into player-0 vertices ($V_0$) and probabilistic vertices ($V_P$), and a probabilistic transition function $\delta : V_P \to \mathrm{Distr}(V)$ such that for all vertices $u \in V_P$ and $v \in V$ we have $(u, v) \in E$ iff $\delta(u)(v) > 0$.

An end-component $U$ of an MDP is a set of its vertices such that (i) the subgraph induced by $U$ is strongly connected and (ii) for each edge $(u, v) \in E$, if $u \in U \cap V_P$, then $v \in U$ (i.e., no probabilistic edge leaves $U$).

A maximal end-component (MEC) is an end-component that is maximal w.r.t. the inclusion ordering.

If $U_1$ and $U_2$ are two end-components and $U_1 \cap U_2 \neq \emptyset$, then $U_1 \cup U_2$ is also an end-component. Therefore, every MDP induces a unique set of its MECs, called MEC decomposition.

For a precise definition of the semantics of MDPs we refer to [Put94]. Note that MDPs are also defined in an equivalent way in the literature with a set of actions such that every vertex and choice of action determines the probability distribution over the successor states; the choice of actions corresponds to the choice of edges at player-0 vertices of our definition.

The standard model-checking algorithm for MDPs proceeds in several steps. Given an MDP $\mathcal{M}$ and an LTL formula $\varphi$:

1. compute a deterministic automaton $\mathcal{A}$ recognizing the language of $\varphi$,
2. compute the product $\mathcal{M}' = \mathcal{M} \times \mathcal{A}$,
3. solve the product MDP $\mathcal{M}'$.

The algorithm is generic for all types of deterministic ω-automata $\mathcal{A}$. The leading probabilistic model checker PRISM [KNP11] re-implements ltl2dstar [Kle] that transforms $\varphi$ into a deterministic Rabin automaton. This approach employs Safra's determinization and thus despite many optimizations often results in an unnecessarily big automaton.

There are two ways to fight the problem. Firstly, one can strive for smaller Rabin automata. Secondly, one can employ other types of ω-automata. As to the former, we have plugged our implementation Rabinizer [GKE12] of the approach [KE12] into PRISM, which already results in considerable improvement. For the latter, Example 4 shows that Muller automata can be smaller than Rabin automata. However, explicit representation of Muller acceptance conditions is typically huge. Hence the third step, solving the product MDP, would be too expensive. Therefore, we propose to use automata with generalized Rabin pairs.

On the one hand, DGRW often have a small state space after translation. Actually, it is the same as the state space of the intermediate Muller automaton of [KE12]. Compared to the corresponding naively degeneralized DRW it is $|B|$ times smaller (one can still perform some optimizations in the degeneralization process, see the experimental results).

On the other hand, as we show below the acceptance condition is still algorithmically efficient to handle. We now present the steps to solve the product MDP for a GRP acceptance condition, i.e. a disjunction of generalized Rabin pairs. Consider an MDP with $k$ generalized Rabin pairs $(F_i, \{I_i^1, \ldots, I_i^{\ell_i}\})$, for $i = 1, 2, \ldots, k$. The steps of the computation are as follows:

1. For $i = 1, 2, \ldots, k$:
   (a) Remove the set of states $F_i$ from the MDP.
   (b) Compute the MEC decomposition.
   (c) If a MEC $C$ has a non-empty intersection with each $I_i^j$, for $j = 1, 2, \ldots, \ell_i$, then include $C$ as a winning MEC.
   (d) Let $W_i$ be the union of winning MECs (for the $i$th pair).
2. Let $W$ be the union of the $W_i$, i.e. $W = \bigcup_{i=1}^{k} W_i$.
3. The solution (or optimal value of the product MDP) is the maximal probability to reach the set $W$.
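The three steps above, as an added example that is not the paper's or PRISM's implementation: it runs the MEC-based check on a small constructed product MDP (vertex names, distributions and the two generalized Rabin pairs are all constructed), using a simple SCC-pruning MEC decomposition and value iteration in place of the linear program for the final reachability step. The second pair shows a MEC that meets only one of the two Büchi sets of the first pair and is therefore not winning for it.

```python
"""Steps 1-3 of Section 3.1 on a constructed product MDP with a disjunction of
generalized Rabin pairs.  Added example; not the paper's or PRISM's code."""
from collections import deque

# Constructed MDP (Definition 9): player-0 vertices pick an edge, probabilistic
# vertices carry a distribution delta(u).  All names and values are made up.
V0 = {"v2", "v4", "v6", "v7", "v8"}
VP = {"v0", "v1", "v3", "v5"}
EDGES = {"v2": ["v1", "v7"], "v4": ["v5"], "v6": ["v4"],
         "v7": ["v8"], "v8": ["v7"]}
DIST = {"v0": {"v1": 0.5, "v4": 0.5}, "v1": {"v2": 0.5, "v3": 0.5},
        "v3": {"v3": 1.0}, "v5": {"v4": 0.9, "v6": 0.1}}
VERTICES = V0 | VP

# Two constructed generalized Rabin pairs (F_i, {I_i^1, ..., I_i^{l_i}}).
PAIR_A = ({"v3"}, [{"v4", "v7"}, {"v6"}])   # coBuechi set v3, two Buechi sets
PAIR_B = ({"v3", "v4"}, [{"v7"}])


def successors(u):
    return list(EDGES[u]) if u in V0 else list(DIST[u])


def reach(u, allowed):
    """Vertices reachable from u through vertices of `allowed` (u included)."""
    seen, todo = {u}, deque([u])
    while todo:
        x = todo.popleft()
        for y in successors(x):
            if y in allowed and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def sccs(allowed):
    """Strongly connected components of the subgraph induced by `allowed`."""
    fwd = {u: reach(u, allowed) for u in allowed}
    comps, done = [], set()
    for u in allowed:
        if u not in done:
            c = frozenset(w for w in fwd[u] if u in fwd[w])
            comps.append(c)
            done |= c
    return comps


def mec_decomposition(allowed):
    """MEC decomposition of the MDP restricted to `allowed` (step 1b).

    Repeatedly drop vertices that can belong to no end-component of the
    current subgraph: probabilistic vertices with an edge leaving their SCC
    (violating condition (ii) of Definition 9) and vertices with no edge back
    into their SCC (a trivial SCC, or a player-0 vertex that cannot stay)."""
    remaining = set(allowed)
    while True:
        removed = set()
        for c in sccs(remaining):
            for u in c:
                inside = [w for w in successors(u) if w in c]
                if (u in VP and len(inside) < len(successors(u))) or not inside:
                    removed.add(u)
        if not removed:
            return sccs(remaining)
        remaining -= removed


def winning_mecs(pair):
    """Steps 1(a)-(c): MECs avoiding F_i that meet every I_i^j."""
    f_set, i_sets = pair
    return [c for c in mec_decomposition(VERTICES - f_set)
            if all(c & i_set for i_set in i_sets)]


def winning_set(pairs):
    """Step 2: W, the union of the winning MECs over all pairs."""
    return set().union(*(c for pair in pairs for c in winning_mecs(pair)))


def max_reach(target, eps=1e-12):
    """Step 3: maximal probability of reaching `target`, by value iteration
    (the paper uses a linear program; both give the same values)."""
    x = {u: float(u in target) for u in VERTICES}
    while True:
        y = {}
        for u in VERTICES:
            if u in target:
                y[u] = 1.0
            elif u in V0:
                y[u] = max(x[w] for w in EDGES[u])
            else:
                y[u] = sum(p * x[w] for w, p in DIST[u].items())
        if max(abs(y[u] - x[u]) for u in VERTICES) < eps:
            return y
        x = y


def solve(pairs, start="v0"):
    """Optimal value of the product MDP from `start` for the GRP condition."""
    return max_reach(winning_set(pairs))[start]


if __name__ == "__main__":
    print("MECs:", [sorted(c) for c in mec_decomposition(VERTICES)])
    print("pair A alone:", solve([PAIR_A]))          # 0.5
    print("pairs A or B:", solve([PAIR_A, PAIR_B]))  # 0.75
```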



Given an MDP with $n$ vertices and $m$ edges, let $\mathrm{MEC}(n, m)$ denote the complexity of computing the MEC decomposition; and let $\mathrm{LP}(n, m)$ denote the complexity of solving a linear program with $m$ constraints over $n$ variables.

Theorem 10. Given an MDP with $n$ vertices and $m$ edges with $k$ generalized Rabin pairs $(F_i, \{I_i^1, \ldots, I_i^{\ell_i}\})$, for $i = 1, 2, \ldots, k$, the solution can be achieved in time $O(k \cdot \mathrm{MEC}(n, m) + n \cdot \sum_{i=1}^{k} \ell_i) + O(\mathrm{LP}(n, m))$.

Remark 11. The best known complexity to solve MDPs with Rabin conditions of $k$ pairs requires $O(k \cdot \mathrm{MEC}(n, m)) + O(\mathrm{LP}(n, m))$ time [?]. Thus degeneralization of generalized Rabin pairs to Rabin conditions and solving MDPs would require $O(k \cdot \mathrm{MEC}(|B| \cdot n, |B| \cdot m)) + O(\mathrm{LP}(|B| \cdot n, |B| \cdot m))$ time. The current best known algorithms for maximal end-component decomposition require at least $O(m \cdot n^{2/3})$ time [?], and the simplest algorithms that are typically implemented require $O(n \cdot m)$ time. Thus our approach is more efficient at least by a factor of $|B|^{5/3}$ (given the current best known algorithms), and even if both maximal end-component decomposition and linear programming can be solved in linear time, our approach leads to a speed-up by a factor of $|B|$, i.e. exponential in $O(k)$, the number of non-trivially generalized Rabin pairs. In general, if $\beta > 1$ is the sum of the exponents required to solve the MEC decomposition (resp. linear programming), then our approach is better by a factor of $|B|^\beta$.

Example 12. A Rabin automaton for $n$ constraints of Example 8 is of doubly exponential size, which is also the factor by which the product and thus the running time grows. However, as the formula is "infinitary" (see the end of Section 2.3), the state space of the generalized automaton is $2^{|Ap|}$ and the product is of the very same size as the original system since the automaton only monitors the current labelling of the state.

3.2 Experimental results

In this section, we compare the performance of

L   the original PRISM with its implementation of ltl2dstar producing Rabin automata,
R   PRISM with Rabinizer [GKE12] (our implementation of [KE12]) producing DRW via optimized degeneralization of DGRW, and
GR  PRISM with Rabinizer producing DGRW and with the modified MEC checking step.

We have performed a case study on the Pnueli-Zuck randomized mutual exclusion protocol [PZ86] implemented as a PRISM benchmark. We consider the protocol with 3, 4, and 5 participants. The sizes of the respective models are $s_3 = 2\,368$, $s_4 = 27\,600$, and $s_5 = 308\,800$ states. We have checked these models against several formulae illustrating the effect of the degeneralization index on the speed up of our method; see Table 1.

In the first column, there are the formulae in the form of a PRISM query. We ask for a maximal/minimal value over all schedulers. Therefore, in the $P_{max}$ case, we create an automaton for the formula, whereas in the case of $P_{min}$ we create an automaton for its negation. The second column then states the number $i$ of participants, thus inducing the respective size $s_i$ of the model.

The next three columns depict the size of the product of the system and the automaton, for each of the L, R, GR variants. The size is given as the ratio of the actual size and the respective $s_i$. The number then also describes the "effective" size of the automaton when taking the product. The next three columns display the total running times for model checking in each variant.

The last three columns illustrate the efficiency of our approach. The first column $t_R/t_{GR}$ states the time speed-up of the DGRW approach when compared to the corresponding degeneralization. The second column states the degeneralization index $|B|$. The last column $t_L/t_{GR}$ then displays the overall speed-up of our approach over the original PRISM.

In the formulae, an atomic proposition $p_i = j$ denotes that the $i$th participant is in its state $j$. The processes start in state 0. In state 1 they want to enter the critical section. State 10 stands for being in the critical section. After leaving the critical section, the process re-enters state 0 again.

Table 1. Experimental comparison of L, R, and GR methods. All measurements performed on Intel i7 with 8 GB RAM. The sign "—" denotes either crash, out-of-memory, time-out after 30 minutes, or a ratio where one operand is —.



Formula                                                      |  # | s_L/s_i | s_R/s_i | s_GR/s_i |   t_L |    t_R |   t_GR | t_R/t_GR | |B| | t_L/t_GR
-------------------------------------------------------------|----|---------|---------|----------|-------|--------|--------|----------|-----|---------
1.  P_max=?[GFp1=10 ∧ GFp2=10 ∧ GFp3=10]                     |  3 |   4.1   |   2.6   |    1     |   1.2 |    0.4 |    0.2 |    2.2   |  3  |    6.8
                                                             |  4 |   4.3   |   2.7   |    1     |  17.4 |    1.8 |    0.3 |    6.4   |  3  |   60.8
                                                             |  5 |   4.4   |   2.7   |    1     | 257.5 |   15.2 |    0.6 |   26.7   |  3  |  447.9
2.  P_max=?[GFp1=10 ∧ GFp2=10 ∧ GFp3=10 ∧ GFp4=10]           |  4 |   6     |   3.5   |    1     |  27.3 |    2.5 |    0.9 |    2.8   |  4  |   32.1
                                                             |  5 |   6.2   |   3.6   |    1     | 408.5 |   17.8 |    0.9 |   20.4   |  4  |  471.2
3.  P_min=?[GFp1=10 ∧ GFp2=10 ∧ GFp3=10 ∧ GFp4=10]           |  4 |   —     |   1     |    1     |   —   |   36.5 |   36.3 |    1     |  1  |    —
                                                             |  5 |   —     |   1     |    1     |   —   |  610.6 |  607.2 |    1     |  1  |    —
4.  P_max=?[(GFp1=0 ∨ FGp2≠0) ∧ (GFp2=0 ∨ FGp3≠0)]           |  3 |  79.7   |   1.9   |    1     | 225.5 |    4.1 |    2.2 |    1.8   |  2  |  101.8
                                                             |  4 |   —     |   1.9   |    1     |   —   |   61.7 |   29.2 |    2.1   |  2  |    —
                                                             |  5 |   —     |   1.9   |    1     |   —   |   1007 |    479 |    2.1   |  2  |    —
5.  P_max=?[(GFp1=0 ∨ FGp1≠0) ∧ (GFp2=0 ∨ FGp2≠0)]           |  3 |  23.3   |   1.9   |    1     |  66.4 |   3.92 |    2.2 |    1.8   |  2  |   30.7
                                                             |  4 |  23.3   |   1.9   |    1     | 551.5 |     61 |   28.2 |    2.2   |  2  |   19.6
                                                             |  5 |   —     |   1.9   |    1     |   —   | 1002.7 |    463 |    2.2   |  2  |    —
6.  P_max=?[(GFp1=0 ∨ FGp2≠0) ∧ (GFp2=0 ∨ FGp3≠0)            |  3 |   —     |  16.3   |    1     |   —   |  122.1 |    7.1 |   17.2   | 24  |    —
            ∧ (GFp3=0 ∨ FGp1≠0)]                             |  4 |   —     |   —     |    1     |   —   |    —   |   75.6 |    —     | 24  |    —
                                                             |  5 |   —     |   —     |    1     |   —   |    —   | 1219.5 |    —     | 24  |    —
7.  P_max=?[(GFp1=0 ∨ FGp1≠0) ∧ (GFp2=0 ∨ FGp2≠0)            |  3 |   —     |  12     |    1     |   —   |   76.3 |    7.2 |   12     | 24  |    —
            ∧ (GFp3=0 ∨ FGp3≠0)]                             |  4 |   —     |  12.1   |    1     |   —   | 1335.6 |   78.9 |   19.6   | 24  |    —
                                                             |  5 |   —     |   —     |    1     |   —   |    —   | 1267.6 |    —     | 24  |    —
8.  P_min=?[(GFp1≠10 ∨ GFp1=0 ∨ FGp1=1)                      |  3 |   2.1   |   1     |    1     |   1.2 |    0.9 |    0.8 |    1     |  1  |    1.5
            ∧ GFp1≠0 ∧ GFp1=1]                               |  4 |   2.1   |   1     |    1     |  11.8 |    8.7 |    8.8 |    1     |  1  |    1.3
                                                             |  5 |   2.1   |   1     |    1     | 186.3 |  147.5 |  146.2 |    1     |  1  |    1.3
9.  P_max=?[(Gp1≠10 ∨ Gp2≠10 ∨ Gp3≠10)                       |  3 |   —     |  32     |   5.9    |   —   |    405 |   80.1 |    5.1   |  8  |    —
            ∧ (FGp1≠1 ∨ GFp2=1 ∨ GFp3=1)                     |  4 |   —     |   —     |   6.4    |   —   |    —   |  703.5 |    —     |  8  |    —
            ∧ (FGp2≠1 ∨ GFp1=1 ∨ GFp3=1)]                    |  5 |         |         |          |       |        |        |    —     |  8  |    —
10. P_min=?[(FGp1≠0 ∨ FGp2≠0 ∨ GFp3=0)                       |  3 |  55.9   |   4.7   |    1     | 289.7 |   12.6 |    3.4 |    3.7   | 12  |   84.3
            ∨ (FGp1≠10 ∧ GFp2=10 ∧ GFp3=10)]                 |  4 |   —     |   4.6   |    1     |   —   |  194.5 |   33.2 |    5.9   | 12  |    —
                                                             |  5 |   —     |   —     |    1     |   —   |    —   |    543 |    —     | 12  |    —
Formulae 1 to 3 illustrate the effect of $|B|$ on the ratio of sizes of the product in the R and GR cases, see the columns $s_R/s_i$ and $s_{GR}/s_i$, and on the ratio of the required times. The theoretical prediction is that $s_R/s_{GR} = |B|$. Nevertheless, due to optimizations done in the degeneralization process, the first is often slightly smaller than the second one, see the columns $s_R/s_i$ and $|B|$. (Note that $s_{GR}/s_i$ is 1 for "infinitary" formulae.) For the same reason, $t_R/t_{GR}$ is often smaller than $|B|$. However, with the growing size of the systems it gets bigger, hence the saving factor is larger for larger systems, as discussed in the previous section.

Formulae 4 to 7 illustrate the doubly exponential growth of $|B|$ and its impact on systems of different sizes. The DGRW approach (GR method) is often the only way to create the product at all.

Formula 8 is a Streett condition showing the approach still performs competitively. Formulae 9 and 10 combine Rabin and Streett conditions requiring both big Rabin automata and big Streett automata. Even in this case, the method scales well. Further, Formula 9 contains non-infinitary behaviour, e.g. $Gp_1 \neq 10$. Therefore, the DGRW is of size greater than 1, and thus also the product is bigger as can be seen in the $s_{GR}/s_i$ column.

4 Synthesis 

In this section, we show how generalized Rabin pairs can be used to speed up 
the computation of a winning strategy in an LTL(F,G) game and thus to speed 
up LTL(F,G) synthesis. A game is defined like an MDP, but with the stochastic 
vertices replaced by vertices of an adversarial player. 

Definition 13. A game M. — (V,E, (Vq, Vi)) consists of a finite directed game 
graph (V, E) and a partition (Vb, VI) of the finite set V of vertices into player-0 
vertices (Vq) and player-1 vertices (V\). 

An LTL game is a game together with an LTL formula with vertices as 
atomic propositions. Similarly, a Rabin game and a game with GRP condition 
(GRP game) is a game with a set of Rabin pairs, or a set of generalized Rabin 
pairs, respectively. 

A strategy is a function V* —¥ E assigning to each history an outgoing 
edge of its last vertex. A play conforming to the strategy / of Player is any 
infinite sequence v$v\ • ■ ■ satisfying Vi+\ — f(vo ■ ■ ■ Vi) whenever Vi € Vb, and just 
(vi, Vi+i) G E otherwise. Player has a winning strategy ; if there is a strategy / 
such that all plays conforming to / of Player satisfy the LTL formula, Rabin 
condition or GRP condition, depending on the type of the game. For further 
details, we refer to e.g. |PP06] . 

One way to solve an LTL game is to make a product of the game arena with the DRW corresponding to the LTL formula, yielding a Rabin game. The current fastest solution of Rabin games works in time $O(m n^{k+1} k \, k!)$ [PP06], where $n = |V|$, $m = |E|$ and $k$ is the number of pairs. Since $n$ is doubly exponential and $k$ singly exponential in the size of the formula, this leads to a doubly exponential algorithm. And indeed, the problem of LTL synthesis is 2-EXPTIME-complete [PR89].
As for model checking of probabilistic systems, we investigate what happens (1) if we replace the translation to Rabin automata by our new translation and (2) if we employ DGRW instead. The latter leads to the problem of GRP games. In order to solve them, we extend the methods for solving Rabin and Streett games of [PP06].

We show that solving a GRP game is faster than first degeneralizing it and then solving the resulting Rabin game. The induced speed-up factor is $|B|^k$. In the following two subsections we show how to solve GRP games and analyze the complexity. The subsequent section reports on experimental results.

4.1 Generalized Rabin ranking 

We shall compute a ranking of each vertex, which intuitively states how far from winning we are. The existence of a winning strategy is then equivalent to the existence of a ranking where Player 0 can always choose a successor of the current vertex with smaller ranking, i.e. closer to fulfilling the goal.

Let $(V, E, (V_0, V_1))$ be a game, $\{(F_1, \mathcal{I}_1), \ldots, (F_k, \mathcal{I}_k)\}$ a GRP condition with the corresponding degeneralization domain $B$. Further, let $n := |V|$ and denote the set of permutations over a set $S$ by $S!$.

Definition 14. A ranking is a function $r : V \times B \to R$ where $R$ is the ranking domain $\{1, \ldots, k\}! \times \{0, \ldots, n\}^{k+1} \cup \{\infty\}$.

The ranking $r(v, wf)$ gives information important in the situation when we are in vertex $v$ and are waiting for a visit of $I_i^{wf(i)}$ for each $i$ given by $wf \in B$. As time passes the ranking should decrease. To capture this, we define the following functions.

Definition 15. For a ranking $r$ and given $v \in V$ and $wf \in B$, we define $\mathit{next}_v : B \to B$

$$\mathit{next}_v(wf)(i) = \begin{cases} wf(i) & \text{if } v \notin I_i^{wf(i)} \\ wf(i) \oplus 1 & \text{if } v \in I_i^{wf(i)} \end{cases}$$

and $\mathit{next} : V \times B \to R$

$$\mathit{next}(v, wf) = \begin{cases} \min_{(v,w) \in E} r(w, \mathit{next}_v(wf)) & \text{if } v \in V_0 \\ \max_{(v,w) \in E} r(w, \mathit{next}_v(wf)) & \text{if } v \in V_1 \end{cases}$$

where the order on $(\pi_1 \cdots \pi_k, w_0 w_1 \cdots w_k) \in R$ is given by the lexicographic order $>_{lg}$ on $w_0 \pi_1 w_1 \pi_2 w_2 \cdots \pi_k w_k$ and $\infty$ being the greatest element.

Intuitively, the ranking $r(v, wf) = (\pi_1 \cdots \pi_k, w_0 w_1 \cdots w_k)$ is intended to bear the following information. The permutation $\pi$ states the importance of the pairs. The pair $(F_{\pi_1}, \mathcal{I}_{\pi_1})$ is the most important, hence we are not allowed to visit $F_{\pi_1}$ and we desire to either visit $I_{\pi_1}$, or not visit $F_{\pi_2}$ and visit $I_{\pi_2}$, and so on. If some important $F_i$ is visited it becomes less important. The importance can be freely changed only finitely many ($w_0$) times. Otherwise, only less important pairs can be permuted if a more important pair makes good progress. Further, $w_i$ measures the worst possible number of steps until visiting $I_{\pi_i}$. This intended meaning is formalized in the following notion of good rankings.
Definition 16. A ranking $r$ is good if for every $v \in V$, $wf \in B$ with $r(v, wf) \neq \infty$ we have $r(v, wf) >_{v,wf} \mathit{next}(v, wf)$.

We define $(\pi_1 \cdots \pi_k, w_0 w_1 \cdots w_k) >_{v,wf} (\pi'_1 \cdots \pi'_k, w'_0 w'_1 \cdots w'_k)$ if either $w_0 > w'_0$, or $w_0 = w'_0$ and $>^1_{v,wf}$ holds. Recursively, $>^\ell_{v,wf}$ holds if one of the following holds:

– $\pi_\ell = \pi'_\ell$, $v \not\models F_{\pi_\ell}$ and $w_\ell > w'_\ell$

– $\pi_\ell = \pi'_\ell$, $v \not\models F_{\pi_\ell}$ and $v \models I_{\pi_\ell}^{wf(\pi_\ell)}$

– $\pi_\ell = \pi'_\ell$, $v \not\models F_{\pi_\ell}$ and $w_\ell = w'_\ell$ and $>^{\ell+1}_{v,wf}$ holds (where $>^{k+1}_{v,wf}$ never holds)

Moreover, if one of the first three cases holds, we say that $\succ^\ell_{v,wf}$ holds.

Intuitively, $>$ means the second element is closer to the next milestone and $\succ$, moreover, that it is so because of the first $\ell$ pairs in the permutation.

Similarly to [PP06], we obtain the following correctness of the construction. Note that for $|B| = 1$, the definitions of the ranking here and the Rabin ranking of [PP06] coincide. Further, the extension with $|B| > 1$ bears some similarities with the Streett ranking of [PP06].

Theorem 17. For every vertex $v$, Player 0 has a winning strategy from $v$ if and only if there is a good ranking $r$ and $wf \in B$ with $r(v, wf) \neq \infty$.



4.2 A fixpoint algorithm 

In this section, we show how to compute the smallest good ranking and thus solve the GRP game. Consider a lattice of rankings ordered component-wise, i.e. $r_1 >_c r_2$ if for every $v \in V$ and $wf \in B$, we have $r_1(v, wf) >_{lg} r_2(v, wf)$. This induces a complete lattice. The minimal good ranking is then a least fixpoint of the operator $\mathit{Lift}$ on rankings given by:

$$\mathit{Lift}(r)(v, wf) = \max\big\{\, r(v, wf),\ \min\{\, x \mid x >_{v,wf} \mathit{next}(v, wf) \,\} \,\big\}$$

where the optima are considered w.r.t. $>_{lg}$. Intuitively, if Player 0 cannot choose a successor smaller than the current vertex (or all successors of a Player 1 vertex are greater), the ranking of the current vertex must rise so that it is greater.

Theorem 18. The smallest good ranking can be computed in time $O(m n^{k+1} k \, k! \cdot |B|)$ and space $O(nk \cdot |B|)$.

Proof. The lifting operator can be implemented similarly as in [PP06]. With every change, the affected predecessors to be updated are put in a worklist, thus working in time $O(k \cdot \mathit{out\text{-}deg}(v))$. Since every element can be lifted at most $|R|$ times, the total time is $O\big(\sum_{v \in V} \sum_{wf \in B} k \cdot \mathit{out\text{-}deg}(v) \cdot |R|\big) = |B| \cdot k \cdot m \cdot n^{k+1} \cdot k!$. The space required to store the current ranking is $O\big(\sum_{v \in V} \sum_{wf \in B} k\big) = n \cdot |B| \cdot k$. □
We now compare our solution to the one that would solve the degeneralized Rabin game. The number of vertices of the degeneralized Rabin game is $|B|$ times greater. Hence the time needed is multiplied by a factor $|B|^{k+2}$, instead of $|B|$ in the case of a GRP game. Therefore, our approach speeds up by a factor of $|B|^{k+1}$, while the space requirements are the same in both cases, namely $O(nk \cdot |B|)$.

Example 19. A conjunction of two fairness constraints of Example 8 corresponds to $|B| = 2$ and $k = 4$, hence we save by a factor of $2^4 = 16$. A conjunction of three fairness constraints corresponds to $|B| = 24$ and $k = 8$, hence we accelerate $24^8 \approx 10^{11}$ times.

Further, let us note that the computation can be implemented recursively as in [PP06]. The winning set is $\mu Z.\ \mathit{GR}(\mathcal{GR}, \mathit{tt}, \partial Z)$ where $\mathit{GR}(\emptyset, \varphi, W) = W$,

$$\mathit{GR}(\mathcal{GR}, \varphi, W) = \bigvee_{i \in [1..k]} \nu Y.\ \bigwedge_{j \in [1..|\mathcal{I}_i|]} \mu X.\ \mathit{GR}\Big(\mathcal{GR} \setminus \{(F_i, \mathcal{I}_i)\},\ \varphi \wedge \neg F_i,\ W \vee (\varphi \wedge \neg F_i \wedge I_i^j \wedge \partial Y) \vee (\varphi \wedge \neg F_i \wedge \partial X)\Big)$$

$$\partial \varphi = \{u \in V_0 \mid \exists (u, v) \in E : v \models \varphi\} \cup \{u \in V_1 \mid \forall (u, v) \in E : v \models \varphi\}$$

and $\mu$ and $\nu$ denote the least and greatest fixpoints, respectively. The formula then provides a succinct description of a symbolic algorithm.

4.3 Experimental Evaluation 

Reusing the notation of Section 3.2, we compare the performance of the methods for solving LTL games. We build and solve a Rabin game using

L   ltl2dstar producing DRW (from LTL formulae),
R   Rabinizer producing DRW, and
GR  Rabinizer producing DGRW.

We illustrate the methods on three different games and three LTL formulae; see Table 2. The games contain 3 resp. 6 resp. 9 vertices. Similarly to Section 3.2, $s_i$ denotes the number of vertices in the $i$th arena, $s_L, s_R, s_{GR}$ the number of vertices in the resulting games for the three methods, and $t_L, t_R, t_{GR}$ the respective running times.

Formula 1 allows for a winning strategy and the smallest ranking is relatively small, hence computed quite fast. Formula 2, on the other hand, only allows for larger rankings. Hence the computation takes longer, but also because in the L and R cases the automata are larger than for Formula 1. While for L and R the product is usually too big, there is a chance to find small rankings in GR fast. While for e.g. $\mathbf{FG}(a \vee \neg b \vee c)$ the automata and games would be the same for all three methods and the solution would only take less than a second, the more complex Formulae 1 and 2 show the speed-up clearly.
Table 2. Experimental comparison of L, R, and GR methods for solving LTL games. Again the sign "–" denotes either crash, out-of-memory, time-out after 30 minutes, or a ratio where one operand is –.

| Formula                                                                          | $s_i$ | $s_L/s_i$ | $s_R/s_i$ | $s_{GR}/s_i$ | $t_L$ | $t_R$ | $t_{GR}$ | $t_R/t_{GR}$ | $\lvert B \rvert$ | (header illegible) |
|----------------------------------------------------------------------------------|-------|-----------|-----------|--------------|-------|-------|----------|--------------|-------------------|--------------------|
| $(\mathbf{GF}a \wedge \mathbf{GF}b \wedge \mathbf{GF}c) \vee (\mathbf{GF}\neg a \wedge \mathbf{GF}\neg b \wedge \mathbf{GF}\neg c)$ | 3 | 22 | 7.3 | 4 | 63.2 | 1.6 | 1.1 | 1.4 | 9 | 48.2 |
|                                                                                  | 6     | 21.3      | 7.3       | 3.7          | 878.6 | 14.1  | 7.3      | 2            | 9                 | 130.3              |
|                                                                                  | 9     | 20.6      | 7         | 3.6          | –     | 54.8  | 31.3     | 1.8          | 9                 |                    |
| $(\mathbf{GF}a \vee \mathbf{FG}b) \wedge (\mathbf{GF}c \vee \mathbf{GF}\neg a) \wedge (\mathbf{GF}c \vee \mathbf{GF}\neg a)$ | 3 | 21 | 10 | 4 | – | 117.5 | 12 | 9.8 | 6 | – |
|                                                                                  | 6     | 16.2      | 9.2       | 3.7          | –     | –     | 196.7    | –            | 6                 |                    |
|                                                                                  | 9     | 17.6      | 9.2       | 3.6          | –     | –     | 1017.8   | –            | 6                 |                    |


5 Conclusions 

In this work we considered the translation of the LTL(F,G) fragment to deterministic ω-automata that is necessary for probabilistic model checking as well as synthesis. The direct translation to deterministic Muller automata gives compact automata, but the explicit representation of the Muller condition is huge and not algorithmically amenable. In contrast to the traditional approach of translation to deterministic Rabin automata, which admits efficient algorithms but incurs a blow-up in translation, we consider deterministic automata with generalized Rabin pairs (DGRW). The translation to DGRW produces the same compact automata as for Muller conditions. We presented efficient algorithms for probabilistic model checking and game solving with DGRW conditions, which shows that the blow-up of translation to Rabin automata is unnecessary. Our results establish that DGRW conditions provide the convenient formalism that allows both for compact automata as well as efficient algorithms. We have implemented our approach in PRISM, and experimental results show a huge improvement over the existing methods. Two interesting directions of future work are (1) to extend our approach to LTL with the U (until) and X (next) operators; and (2) to consider symbolic computation and Long's acceleration of fixpoint computation (on the recursive algorithm), instead of the ranking-function-based algorithm for games, and compare the efficiency of both approaches.
A Proof of Theorem 17 (correctness of the ranking)

A.1 Soundness

Lemma 20. For every good ranking $r$ and vertex $v$ with $r(v, wf) \neq \infty$ for some $wf \in B$, Player 0 has a winning strategy from $v$.

Proof. We construct a strategy with memory $B$ and memory update $(v, wf) \mapsto \mathit{next}_v(wf)$. When in vertex $v$ with memory $wf$, the strategy chooses a successor $v'$ for which $r(v', \mathit{next}_v(wf)) = \mathit{next}(v, wf)$, i.e. with the lowest admissible ranking. We prove it is winning from $v$.

Consider an infinite play $v^0 v^1 \cdots$ conforming to the strategy, $wf^0 wf^1 \cdots$ the corresponding memories, and $r^0 r^1 \cdots$ the corresponding ranks $r^i = r(v^i, wf^i) = (\pi^i_1 \cdots \pi^i_k, w^i_0 \cdots w^i_k)$. By Definitions 16 and 15, $r^i >_{v^i, wf^i} r^{i+1}$ for all $i$.

Let $\ell$ be the smallest number for which $r^m \succ^\ell_{v^m, wf^m} r^{m+1}$ for infinitely many $m$. Then for almost all $i$

– $r^i$ are the same on the first $\ell$ elements of both components, i.e. on each of $\pi^i_1$ to $\pi^i_\ell$ and $w^i_0$ to $w^i_{\ell-1}$; we denote the repetitive $\pi^i_\ell$ by $\mathit{win}$,

– thus also $v^i \not\models F_{\mathit{win}}$, and

– $wf^i$ are the same on the first $\ell - 1$ elements,

thus since $[0..n]$ is well founded, $wf^j(\mathit{win})$ gets all values from $[1..|\mathcal{I}_{\mathit{win}}|]$ infinitely often and $v^j \models I^k_{\mathit{win}}$ infinitely often for each $k$, and the $\mathit{win}$th pair is satisfied. □

A.2 Completeness

We use the standard $\mu$-calculus and define an operator $\partial$ of the controllable predecessor as follows:

$$\partial \varphi = \{u \in V_0 \mid \exists (u, v) \in E : v \models \varphi\} \cup \{u \in V_1 \mid \forall (u, v) \in E : v \models \varphi\}$$

Further, we define recursively

$$\mathit{GR}(\emptyset, \varphi, W) = W$$

$$\mathit{GR}(\mathcal{GR}, \varphi, W) = \bigvee_{i \in [1..k]} \nu Y.\ \bigwedge_{j \in [1..|\mathcal{I}_i|]} \mu X.\ \mathit{GR}\Big(\mathcal{GR} \setminus \{(F_i, \mathcal{I}_i)\},\ \varphi \wedge \neg F_i,\ W \vee (\varphi \wedge \neg F_i \wedge I_i^j \wedge \partial Y) \vee (\varphi \wedge \neg F_i \wedge \partial X)\Big)$$

Let $\mathit{Win}(\mathcal{GR})$ be the set of winning vertices of Player 0 with the winning condition being the set $\mathcal{GR}$ of GRPs. Then a simple adaptation of Claim 9 of [PP06] to the setting with the conjunction yields an alternative characterization of the winning set.

Lemma 21. For non-empty $\mathcal{GR}$, the set $\mathit{GR}(\mathcal{GR}, \varphi, W)$ is the winning region for Player 0 and the winning condition

$$\bigvee_{(F, \mathcal{I}) \in \mathcal{GR}} \Big[ (\varphi \wedge \neg F)\ \mathbf{U}\ W \ \vee\ \mathbf{G}\Big(\varphi \wedge \neg F \wedge \bigwedge_{j \in [1..|\mathcal{I}|]} \mathbf{F} I^j\Big) \ \vee\ \big(\mathit{Win}(\mathcal{GR} \setminus \{(F, \mathcal{I})\}) \wedge \mathbf{G}(\varphi \wedge \neg F)\big) \Big]$$
As a result, we get directly by [PP06] the following symbolic recursive algorithm.

Lemma 22. $\mathit{Win}(\mathcal{GR}) = \mu Z.\ \mathit{GR}(\mathcal{GR}, \mathit{tt}, \partial Z)$

It remains to show a good ranking on the vertices of $\mathit{Win}(\mathcal{GR})$ using the characterization above.

Lemma 23. There is a good ranking such that for every vertex $v$, from which Player 0 has a winning strategy, there is a permutation $wf \in B$ with $r(v, wf) \neq \infty$.

Proof. We show how to define a good ranking on $\mathit{Win}(\mathcal{GR})$. To this end, we use the characterization above written more explicitly in the following algorithm (where all variables are local):

Function mainGR(SetOfPairs)
  LeastFix(Z)
    Z := GR(SetOfPairs, true, ∂Z)
  End - LeastFix(Z)
  Return Z
End

Function GR(SetOfPairs, Invariant, AlreadyOk)
  Win := ∅
  Foreach (F, I) ∈ SetOfPairs
    RemainingPairs := SetOfPairs \ {(F, I)}
    GreatestFix(Y)
      conjunctionX := true
      Foreach j ∈ {1..|I|}
        LeastFix(X)
          NewOk := AlreadyOk ∪ (Invariant ∩ ¬F ∩ I^j ∩ ∂Y) ∪ (Invariant ∩ ¬F ∩ ∂X)
          If (|RemainingPairs| = 0)
            X := NewOk
          Else
            X := GR(RemainingPairs, Invariant ∩ ¬F, NewOk)
          End - If (|RemainingPairs| = 0)
        End - LeastFix(X)
        Let conjunctionX := conjunctionX ∩ X
      End - Foreach j
      Let Y := conjunctionX
    End - GreatestFix(Y)
    Let Win := Win ∪ Y
  End - Foreach (F, I)
  Return Win
End
Similarly to [PP06], we monitor the call stack of the procedure. We assign a counter $i$ to each least fixpoint ($Z$ and all nested $X$'s), starting from zero and increasing every time the next iteration is done. We consider configurations of the program where all greatest fixpoints are in their last iteration.

Each of the states returned by mainGR gets a rank according to the first time it is discovered by the least fixpoints. For a given configuration, let $p_1 \cdots p_k$ be the pairs handled by the nested calls of GR and $i_1 \cdots i_k$ the $k$ nested values of the $i$'s, i.e. the numbers of iterations of the nested least fixpoints (considering the last calls of the greatest fixpoints), $i_0$ the value of the counter for $Z$, and $j_1 \ldots j_k$ the nested values of $j$. Let $X^{j_1 \cdots j_k}_{p_1 \cdots p_k}$ be the current value of the intersection X.

Now for every vertex $v$ in the returned set, and $wf \in B$, we set $r(v, wf)$ to be the smallest (w.r.t. $>_{lg}$) element $(p_1 \cdots p_k, i_0 i_1 \cdots i_k)$ of the ranking domain where $v \in X^{j_1 \cdots j_k}_{p_1 \cdots p_k}$ and $wf(p_n) = j_n$ for all $n$.

All other pairs $(v, wf)$ get rank $\infty$.

The ranking can now easily be shown to be good following [PP06], since in order to discover a state, its successors must have already been discovered before and thus have a smaller ranking. □
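As an added example (not code from the paper), the recursive characterization of Lemma 22, which Section 4.2 states as a symbolic formula and the mainGR/GR pseudocode above spells out, run on a small explicit game: vertex sets stand in for the symbolic predicates, the controllable predecessor is computed directly from the edge relation, and the game graph and its generalized Rabin pairs are constructed for illustration.

```python
# Added example (not the paper's code): Lemma 22, Win(GR) = mu Z. GR(GR, tt, cpre(Z)),
# run on an explicit, constructed game; vertex sets stand in for the symbolic predicates.

def cpre(game, s):
    """Controllable predecessor: Player-0 vertices with some successor in s,
    Player-1 vertices with all successors in s.  game = (successor map, Player-0 vertices)."""
    succ, p0 = game
    return {u for u in succ
            if (any(v in s for v in succ[u]) if u in p0 else all(v in s for v in succ[u]))}

def gr(game, pairs, inv, ok):
    """GR(pairs, inv, ok) = OR_i nu Y. AND_j mu X. GR(pairs minus pair i, inv & ~F_i,
    ok | (inv & ~F_i & I_i^j & cpre(Y)) | (inv & ~F_i & cpre(X))), and GR({}, inv, ok) = ok.
    A pair is (F_i, [I_i^1, ..., I_i^m]); F_i, every I_i^j, inv and ok are vertex sets."""
    if not pairs:
        return set(ok)
    win = set()
    for idx, (F, Is) in enumerate(pairs):
        rest = pairs[:idx] + pairs[idx + 1:]
        inv_i = inv - F                       # stay inside inv and avoid F_i from now on
        Y = set(game[0])                      # greatest fixpoint: iterate downwards from V
        while True:
            conj = set(game[0])
            for I in Is:                      # one least fixpoint per I_i^j
                X = set()                     # least fixpoint: iterate upwards from {}
                while True:
                    new_ok = ok | (inv_i & I & cpre(game, Y)) | (inv_i & cpre(game, X))
                    X_next = gr(game, rest, inv_i, new_ok)
                    if X_next == X:
                        break
                    X = X_next
                conj &= X
            if conj == Y:
                break
            Y = conj
        win |= Y
    return win

def winning_region(game, pairs):
    """Least fixpoint of Z -> GR(pairs, V, cpre(Z)), starting from Z = {} (Lemma 22)."""
    Z = set()
    while True:
        Z_next = gr(game, pairs, set(game[0]), cpre(game, Z))
        if Z_next == Z:
            return Z
        Z = Z_next

# Constructed game: Player 0 owns vertex 0 and picks 1 or 2; from 2, Player 1 may escape
# to the sink 3 and stay there forever (so pair ({3}, [{1}, {2}]) is lost from everywhere).
GAME = ({0: {1, 2}, 1: {0}, 2: {0, 3}, 3: {3}}, {0})
```

On GAME, `winning_region(GAME, [({3}, [{1}, {2}]), (set(), [{1}])])` returns {0, 1}: the generalized pair is unwinnable because Player 1 can answer every visit to 2 by moving to the sink, while the plain pair is won from 0 and 1 by always choosing 1.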
B Figures

We give figures of the game family used for the experimental evaluation in Section 4.3.

[Figure 1: three game graphs; the recoverable edge labels are $2^{Ap} \setminus \{\{a\}, \{b\}\}$ (three times), $2^{Ap} \setminus \{\{b\}\}$ and $2^{Ap} \setminus \{\{c\}\}$.]

Fig. 1. Games used for the experiments in Section 4.3 with $Ap = \{a, b, c\}$.